Friday, April 12, 2024

StopCrypt Ransomware Utilizing Multi-Stage Shellcodes To Attack Windows

A new variant of StopCrypt ransomware has been discovered. It executes multi-stage shellcodes before launching a final payload containing the file encryption code.

The malware uses several evasion techniques, including a time-delaying loop of 600 million iterations, alongside several other mechanisms.

It also persists through a scheduled task that runs its payload with specific command-line arguments every five minutes.

Technical Analysis

According to the reports shared with Cyber Security News, the infection cycle begins with the malware constructing the string “msim32.dll”, which is never actually used during execution.

A time-delay loop runs for millions of iterations, copying the same data to a location indexed by the incrementing iteration counter.

Similar techniques are used throughout the malware's execution to evade detection; the evasion works by artificially extending the execution time of the malicious code.

Incremental Iteration code (Source: SonicWall)

After this, the code allocates memory using the LocalAlloc API and calls VirtualProtect to change the permissions of the memory block to READ, WRITE and EXECUTE.

First Stage Payload

This stage resolves the required APIs using the kernel32 GetProcAddress API.

Rather than calling the APIs straightforwardly through imports, which are easy to detect and identify, the ransomware builds the API name strings directly on the stack and resolves them at run time.
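Stack-built API names are invisible to a plain strings dump, but an analyst can recover them by replaying the immediate stores into the stack frame. The script below is an added example and is not the page's or SonicWall's code; the disassembly fragment is constructed for illustration (the offsets, immediates and the choice of VirtualAlloc and Sleep as recovered names are assumptions, not values from the sample).

```python
import re

# Constructed x86 disassembly fragment (not taken from the sample): each instruction
# writes a slice of an API name into the stack frame as a little-endian immediate.
SAMPLE_DISASM = """
mov dword ptr [ebp-0x20], 0x74726956   ; "Virt"
mov dword ptr [ebp-0x1C], 0x416C6175   ; "ualA"
mov dword ptr [ebp-0x18], 0x636F6C6C   ; "lloc"
mov byte ptr [ebp-0x14], 0x0           ; terminator
mov dword ptr [ebp-0x30], 0x65656C53   ; "Slee"
mov byte ptr [ebp-0x2C], 0x70          ; "p"
mov byte ptr [ebp-0x2B], 0x0           ; terminator
"""

SIZES = {"byte": 1, "word": 2, "dword": 4}
INSN_RE = re.compile(
    r"mov\s+(byte|word|dword)\s+ptr\s+\[ebp([+-]0x[0-9a-fA-F]+)\]\s*,\s*(0x[0-9a-fA-F]+)"
)


def build_stack_image(disasm: str) -> dict[int, int]:
    """Replay every immediate store into a sparse byte map keyed by ebp-relative offset."""
    memory: dict[int, int] = {}
    for m in INSN_RE.finditer(disasm):
        size = SIZES[m.group(1)]
        offset = int(m.group(2), 16)          # the sign is part of the offset text
        imm = int(m.group(3), 16)
        for i, b in enumerate(imm.to_bytes(size, "little")):
            memory[offset + i] = b
    return memory


def recover_stack_strings(disasm: str, min_len: int = 2) -> list[str]:
    """Walk the rebuilt frame and emit printable runs, splitting on NULs and gaps."""
    memory = build_stack_image(disasm)
    strings: list[str] = []
    current = bytearray()

    def flush() -> None:
        if len(current) >= min_len:
            strings.append(current.decode("ascii"))
        current.clear()

    prev = None
    for off in sorted(memory):
        if prev is not None and off != prev + 1:
            flush()                           # gap in the frame: a new string starts
        b = memory[off]
        if 0x20 <= b < 0x7F:
            current.append(b)
        else:
            flush()                           # NUL or non-printable terminates the run
        prev = off
    flush()
    return strings


if __name__ == "__main__":
    for name in recover_stack_strings(SAMPLE_DISASM):
        print(name)
```

The recovered names can then be compared against a watch list such as the API lists in this article; a shellcode stage that assembles the names of memory-allocation and thread-context functions on the stack is itself a useful static indicator.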

The addresses resolved by the malware are for the following APIs:

  • GlobalAlloc
  • VirtualAlloc
  • SetLastError
  • Sleep
  • CreateToolhelp32Snapshot
  • Module32First
  • CloseHandle

CreateToolhelp32Snapshot is used to take a snapshot of the current process together with all of its modules.

Module32First is then used to extract information about the first module of the process.

Snapshot code with all its modules (Source: SonicWall)

Second Stage Payload

The second stage of the malware performs the primary task of the shellcode, which is process hollowing.

The API names built in this phase resolve to the following functions:

  • MessageBoxA
  • GetMessageExtraInfo
  • WinExec
  • CreateFileA
  • WriteFile
  • CloseHandle
  • CreateProcessA
  • GetThreadContext
  • VirtualAlloc
  • VirtualAllocEx
  • VirtualFree
  • ReadProcessMemory
  • WriteProcessMemory
  • SetThreadContext
  • ResumeThread
  • WaitForSingleObject
  • GetModuleFileNameA
  • GetCommandLineA
  • NtUnmapViewOfSection
  • NtWriteVirtualMemory
  • RegisterClassExA
  • CreateWindowExA
  • PostMessageA
  • GetMessageA
  • DefWindowProcA
  • GetFileAttributesA
  • GetStartupInfoA
  • VirtualProtectEx
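The API list above is the textbook process-hollowing sequence: create a suspended process, unmap its image, allocate and write new memory in it, rewrite the thread context and resume. For a defender the useful observation is the order of those calls within one process, not any single API. The script below is an added example, not code from the page or from SonicWall; the API-call trace it parses is constructed to look like a simplified sandbox log (the `pid,api,details` layout and the pid values are assumptions).

```python
import csv
import io

# Constructed API-call trace in "pid,api,details" form (not real sandbox output).
# pid 1000 mimics the hollowing sequence, 2000 is an ordinary child launch, and
# 3000 suspends and resumes a child without touching its memory.
TRACE = """\
pid,api,details
1000,CreateProcessA,flags=CREATE_SUSPENDED
1000,GetThreadContext,
1000,NtUnmapViewOfSection,
1000,VirtualAllocEx,protect=PAGE_EXECUTE_READWRITE
1000,NtWriteVirtualMemory,
1000,SetThreadContext,
1000,ResumeThread,
2000,CreateProcessA,flags=0
2000,WaitForSingleObject,
3000,CreateProcessA,flags=CREATE_SUSPENDED
3000,GetThreadContext,
3000,ResumeThread,
"""

# Ordered stages of classic process hollowing; each stage accepts any of the listed APIs.
HOLLOWING_PATTERN = [
    {"CreateProcessA", "CreateProcessW"},
    {"NtUnmapViewOfSection"},
    {"VirtualAllocEx"},
    {"WriteProcessMemory", "NtWriteVirtualMemory"},
    {"SetThreadContext"},
    {"ResumeThread"},
]


def parse_trace(text: str) -> dict[int, list[tuple[str, str]]]:
    """Group (api, details) pairs per pid, preserving call order."""
    per_pid: dict[int, list[tuple[str, str]]] = {}
    for row in csv.DictReader(io.StringIO(text)):
        per_pid.setdefault(int(row["pid"]), []).append((row["api"], row["details"]))
    return per_pid


def matches_in_order(apis: list[str], pattern: list[set[str]]) -> bool:
    """True if every stage of the pattern appears, in order, as a subsequence of the calls."""
    stage = 0
    for api in apis:
        if stage < len(pattern) and api in pattern[stage]:
            stage += 1
    return stage == len(pattern)


def detect_hollowing(text: str) -> list[int]:
    """Return pids whose trace shows a suspended launch followed by all hollowing stages."""
    flagged = []
    for pid, calls in parse_trace(text).items():
        suspended = any(
            api.startswith("CreateProcess") and "CREATE_SUSPENDED" in details
            for api, details in calls
        )
        if suspended and matches_in_order([api for api, _ in calls], HOLLOWING_PATTERN):
            flagged.append(pid)
    return flagged


if __name__ == "__main__":
    print("hollowing suspects:", detect_hollowing(TRACE))
```

Requiring both the suspended launch and the full ordered stage list keeps debuggers and installers that merely suspend and resume a child (pid 3000 here) out of the alert.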

The ransomware also queries the file attributes of a file that does not exist. The purpose of this check is unknown; it is speculated to identify specific systems on which the file might be present.

After certain operations, the ransomware calls the VirtualAlloc API to allocate memory with READ and WRITE permissions and stores in it the path returned by the GetModuleFileNameA API.

Following this, the kernel32.GetStartupInfoA API is called to retrieve the process's startup information.

Final Payload

In the final stage, the ransomware resumes the launched process with the parameters “Admin IsNotAutoStart IsNotTask”, after which it creates a new directory under C:\Users\<user_name>\AppData\Local and copies the current malware image into it.

Further, it launches icacls.exe, the Windows command-line utility for viewing and modifying access control lists (ACLs).

The icacls.exe command denies the “Everyone” group the Delete permission on the specified file, which prevents the copied malware from being deleted.

Scheduled task (Source: SonicWall)

Additionally, the malware creates a scheduled task that executes the copy of the final payload with the command-line argument -Task every 5 minutes.

The ransomware encrypts files, appends the .msjd extension to them, and drops a ransom note named _readme.txt in every folder containing encrypted files.
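The two persistence traits just described, a copy under AppData\Local that runs from a scheduled task with a -Task argument, and an Everyone deny-Delete ACE on that copy, are easy to hunt for together. The triage script below is an added example, not code from the page or from SonicWall; the icacls-style listing and the task inventory it parses are constructed (the user name, the directory and task names, and the CSV column layout are placeholders, not values observed in the sample).

```python
import csv
import io
import re

# Constructed icacls-style listing (not captured from a real host). The first line of each
# entry carries the path followed by its first ACE; indented continuation lines carry more ACEs.
# Constructed paths contain no spaces so the path/ACE split below is unambiguous.
ICACLS_OUTPUT = """\
C:\\Users\\alice\\AppData\\Local\\EXAMPLE-DIR\\payload.exe Everyone:(DENY)(D)
                                                       NT AUTHORITY\\SYSTEM:(I)(F)
                                                       BUILTIN\\Administrators:(I)(F)
C:\\Users\\alice\\Documents\\report.docx NT AUTHORITY\\SYSTEM:(I)(F)
                                       alice:(I)(F)
"""

# Constructed scheduled-task inventory: task name, command line, repeat interval.
TASKS_CSV = """\
TaskName,TaskToRun,RepeatEvery
\\Microsoft\\Windows\\Defrag\\ScheduledDefrag,%windir%\\system32\\defrag.exe -c -h -o -$,Disabled
\\EXAMPLE-TASK,C:\\Users\\alice\\AppData\\Local\\EXAMPLE-DIR\\payload.exe -Task,0:05:00
"""

ENTRY_RE = re.compile(r"^(\S+)\s+(.+)$")          # path, first ACE
LOCAL_APPDATA_RE = re.compile(r"\\AppData\\Local\\", re.IGNORECASE)
TASK_ARG_RE = re.compile(r"(?:^|\s)-{1,2}Task(?:\s|$)", re.IGNORECASE)
FLAG_TOKENS = {"DENY", "I", "OI", "CI", "IO", "NP"}   # ACE flags that are not rights


def parse_icacls(text: str) -> dict[str, list[str]]:
    """Map each path to its ACE strings; entries start at column 0, continuations are indented."""
    acls: dict[str, list[str]] = {}
    current = None
    for line in text.splitlines():
        if not line.strip():
            continue
        if not line[0].isspace():
            m = ENTRY_RE.match(line.rstrip())
            current = m.group(1)
            acls[current] = [m.group(2)]
        elif current is not None:
            acls[current].append(line.strip())
    return acls


def everyone_deny_delete(acls: dict[str, list[str]]) -> list[str]:
    """Paths carrying an Everyone deny ACE that includes the Delete (D) right."""
    hits = []
    for path, aces in acls.items():
        for ace in aces:
            principal, _, rest = ace.partition(":")
            groups = re.findall(r"\(([^)]*)\)", rest)
            rights = {tok for g in groups for tok in g.split(",")} - FLAG_TOKENS
            if principal == "Everyone" and "DENY" in groups and "D" in rights:
                hits.append(path)
                break
    return hits


def suspicious_tasks(csv_text: str, locked_paths: list[str]) -> list[dict]:
    """Tasks running a binary from AppData\\Local with a -Task style argument."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        cmd = row["TaskToRun"]
        if LOCAL_APPDATA_RE.search(cmd) and TASK_ARG_RE.search(cmd):
            binary = cmd.split(" -", 1)[0]      # constructed command lines: path, then arguments
            findings.append({
                "task": row["TaskName"],
                "binary": binary,
                "repeat": row["RepeatEvery"],
                "delete_locked": binary in locked_paths,   # the icacls trick from the article
            })
    return findings


def triage(icacls_text: str, tasks_csv: str) -> list[dict]:
    """Correlate delete-locked files with scheduled tasks that execute them."""
    return suspicious_tasks(tasks_csv, everyone_deny_delete(parse_icacls(icacls_text)))


if __name__ == "__main__":
    for finding in triage(ICACLS_OUTPUT, TASKS_CSV):
        print(finding)
```

A finding with `delete_locked` set to true is the combination the article describes; removing the deny ACE (as an administrator) before deleting the file and the task is the remediation order that works.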

Ransom note (Source: SonicWall)

Indicators Of Compromise

  • GAV: StopCrypt.RSM (Trojan)

Eswar is a Cyber security content editor with a passion for creating captivating and informative content. With years of experience under his belt in Cyber Security, he is covering Cyber Security News, technology and other news.